Re: Why don't we allow DNS names in pg_hba.conf? - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: Why don't we allow DNS names in pg_hba.conf?
Date
Msg-id 43BAB5C3.4060906@dunslane.net
Whole thread Raw
In response to Re: Why don't we allow DNS names in pg_hba.conf?  (Euler Taveira de Oliveira <eulerto@yahoo.com.br>)
Responses Re: Why don't we allow DNS names in pg_hba.conf?
List pgsql-hackers

Euler Taveira de Oliveira wrote:

>--- "Jim C. Nasby" <jnasby@pervasive.com> escreveu:
>
>  
>
>>I don't know if the normal DNS libraries allow this, but it would be
>>cool if you could specify that an entry in pg_hba.conf could be
>>looked
>>up from /etc/hosts, but not from generic DNS. AFAIK that would
>>eliminate
>>the possibility of spoofing.
>>
>>    
>>
>Take a look at 'man /etc/host.conf'.
>
>
>  
>

That won't work for per application settings. I think this is a non starter.

I have been thinking more about possible real world use cases for this 
facility. I suspect they will be comparatively rare. In cases where you 
don't trust DNS you shouldn't use it, and in cases where you do you 
probably know the address(es) anyway. If the change is simple it's worth 
doing, but it's not a huge leap. The biggest wrinkle will probably be 
handling names that map to multiple addresses.

One thing that bothers me slightly is that we would need to look up each 
name (at least until we found a match) for each connection. If you had 
lots of names in your pg_hba.conf that could be quite a hit. We need to 
test this not with one but with a couple of hundred names, maybe, to see 
what the hit is like.

cheers

andrew


pgsql-hackers by date:

Previous
From: Bruce Momjian
Date:
Subject: Re: [Bizgres-general] WAL bypass for INSERT, UPDATE and
Next
From: Tom Lane
Date:
Subject: Re: [Bizgres-general] WAL bypass for INSERT, UPDATE and